I am having difficulty with a site-to-site VPN using the wrong crypto map.
When I try to bring a site-to-site tunnel up with a 3DES/SHA1 tunnel, the tunnel tries to use AES/SHA1. Is there a bug in the 9.1 code that could be causing this issue? I already have another 3DES/SHA1 tunnel up and it works.
crypto ipsec security-association pmtu-aging infinite
! dynamic crypto map (remote-access clients)
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
! static site-to-site entries
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 18.104.22.168
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside-_map0 2 match address outside-stevensons_cryptomap_1
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer 22.214.171.124
crypto map outside_map0 2 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside-_map0 2 set ikev2 ipsec-proposal Site 2
crypto map outside-_map0 2 set ikev2 pre-shared-key *****
crypto map outside-_map0 3 match address outside-stevensons_cryptomap_2
crypto map outside-_map0 3 set peer 126.96.36.199
crypto map outside-_map0 3 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside-_map0 3 set ikev2 ipsec-proposal Site 3
crypto map outside-_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-_map0 interface outside-stevensons
The "problem" is probably caused by a misunderstanding of IPsec. You show a config for the protected data (IPsec SAs), which is configured with 3DES and MD5/SHA1. But when you see AES, you are probably looking at the "management" tunnel (IKE SA), which is controlled by the "crypto ikev1 policy" commands. And there you probably have policies with AES.
All in all, I wouldn't see a problem in that. You should even consider using AES with SHA1 if the other side supports that. 3DES and MD5 are legacy and outdated crypto, and better algorithms are available. If you can use AES/SHA1, then use that.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
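To make the distinction in the answer above concrete, here is an added ASA configuration fragment (not from the original post or the poster's running config) showing where each algorithm choice lives: the "crypto ikev1 policy" entries govern the IKE SA (phase 1), while the transform set bound to the crypto map entry governs the IPsec SA (phase 2). The peer address, ACL name, policy numbers, subnets and the pre-shared key are placeholders.

```cisco
! --- Phase 1: IKE SA (the "management" tunnel) ---
! The initiator offers its policies in priority order (lowest number first)
! and the responder accepts the first one it also has. With an AES policy
! ranked above the 3DES policy on both sides, the IKE SA negotiates AES
! even though the IPsec SA below is pinned to 3DES.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! --- Phase 2: IPsec SA (the protected data) ---
! This is the only place the 3DES/SHA1 choice from the question applies.
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

! Placeholder interesting-traffic ACL, peer and map name (assumptions)
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <placeholder>
```

To check which algorithm each SA actually negotiated, compare "show crypto ikev1 sa detail" (IKE SA; look at the Encrypt and Hash fields) with "show crypto ipsec sa peer 203.0.113.10" (IPsec SA; look at the transform: line under the inbound and outbound esp sas). With the fragment above and a peer that also offers AES for phase 1, the first shows aes/SHA and the second shows esp-3des esp-sha-hmac, which is exactly the "mismatch" the question describes. "debug crypto ikev1 127" prints the policy proposals if you need to see which phase 1 entry was matched.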